Draft cyber executive order excludes commercial products

A new draft of the White House's cybersecurity executive order maintains the administration's effort to improve the digital defenses of critical infrastructure — but it includes a number of changes, following several administration meetings with stakeholders.

The Nov. 21 draft obtained by POLITICO grants more time to the feds to devise and implement a voluntary system to protect power plants, water systems and other forms of critical infrastructure from crippling attacks. Yet it makes clear that commercial products won't fall into that category.


It further calls on the feds to figure out how to incentivize companies to agree to abide by new security standards. And it leaves it to agencies to figure out whether cybersecurity should factor into the federal procurement process.

The White House declined to comment Friday on the draft, its contents and the timing for a final order.

Release of a cybersecurity executive order isn't necessarily imminent. Still, there's a growing sense among stakeholders that the Obama administration has hit the gas on its efforts to improve the country's digital defenses, after the Senate failed for a second time to pass legislation the president supported. In the meantime, the White House also has amplified its outreach to industry that would be most affected by its new plans.

"The National Security Staff has held over 30 meetings with industry, think tanks, and privacy groups, meeting directly with over 200 companies and trade organizations representing over 6,000 companies that generate over $7 trillion in economic activity and employ more than 15 million people," Caitlin Hayden, a spokeswoman for the White House, told POLITICO on Friday.

In general, the latest draft order follows the same contours as another draft that leaked at the end of September — improving cybersecurity practices at critical infrastructure, and pursuing new information-sharing capabilities.

But the new version appears to specify in clearer terms that NIST would lead the way in developing a so-called Cybersecurity Framework, to identify gaps in the country's digital defenses and set forward standards and methodologies to address the risks.

In the latest proposal, agencies have more time — 240 days, rather than 180 days — to put forward their initial draft of that framework, but still have a year after that to publish the final guidance. And the new version emphasizes the framework should be developed through "open public review and comment," and reviewed every three years.

The September draft, shared among top deputies, had called on federal agencies to report on ways to make any new voluntary measures mandatory. The new draft preserves the section, and it asks agencies to evaluate if their current cybersecurity authorities are sufficient or duplicative.

It also tasks the Pentagon and other agencies to determine whether the government procurement process — a multi-billion-dollar industry — should grant preferences to vendors adhering to strong cybersecurity standards. And it includes a key, highly desired carve-out for commercial IT: It makes clear those products cannot be designated as critical infrastructure at the greatest risk, which is an exception that industry had sought in legislation.

The new draft further requires the Commerce and Treasury Departments to devise recommendations on how to incentivize companies to participate — a key sticking point for the Obama administration, which has said it can only provide the best incentives to businesses through an act of Congress.

This article first appeared on POLITICO Pro at 2:33 p.m. on November 30, 2012.